The first step is just saying, “We’re going to include security in the Agile definitions of done,” and once you’ve at least penetrated that level, which I don’t think a lot of people have, then they’re going to at least do the right things. You’re either going to start to build it either into the user stories or the acceptance testing.

But you can’t leave it to the end of the process. If you leave security acceptance testing toward the end (and naturally your schedule is going to slip) then you’ll get to the security testing and find there’s a lot more work to do. Then you’ll be in this unfortunate decision of either having to fix the security issues and let your schedule slip, or choose to let something go out the door that’s not secure.